UK: new data protection fee

The United Kingdom has announced plans to introduce a new “Data Protection Fee” to replace the current system of registration for data controllers.

Draft Regulations[1] were laid before Parliament on 20 February 2018 and the Information Commissioner’s Office (“ICO”), the independent supervisory authority set up to promote and oversee compliance with data protection legislation in the UK, has now produced accompanying guidance.[2]

From 25 May 2018, the date the General Data Protection Regulation[3] (“GDPR”) comes into force, data controllers will have to pay an annual data protection fee to the ICO, unless they are exempt from doing so.

This new fee will replace the requirement to ‘notify’ (or register) under the Data Protection Act 1998, in line with the guidance to Member States to abolish general and indiscriminate systems of registration under Recital 89 of the GDPR.

Those controllers who have a current registration (or notification) will not be required to pay the new fee until their existing registration expires, at which point the ICO will contact them with details of the new fee.

Parliament has set the fees based on its perception of the risks posed by controllers processing personal data. The amount payable depends upon staff numbers and annual turnover or whether the controller is a public authority, a charity or a small occupational pension scheme. Not every controller must pay a fee – there are exemptions.

The fees are:

Tier 1 – Micro Organisations

Maximum turnover of £632,000 for the financial year OR no more than 10 members of staff.

Fee for Tier 1 = £40.

Tier 2 – Small and Medium Organisations

Maximum turnover of £36 million for the financial year OR no more than 250 members of staff.

Fee for Tier 2 = £60.

Tier 3 – Large Organisations

Those not meeting the criteria for Tier 1 or Tier 2.

Fee for Tier 3 = £2,900.

All controllers will be regarded as Tier 3 unless they tell the ICO otherwise.

 A £5 discount applies to those who elect to pay by Direct Debit.


Where there is a group of companies, the turnover should be calculated for each separate company within the group; it is not the overall group figure. A ‘Company’ is defined as one registered under the Companies Act 2006, therefore, the turnovers of those not so registered will not count when calculating the appropriate fee.  This is in contract with the GDPR concept of undertakings (or groups of undertakings) whereby, for example, administrative fines can be set by reference to the turnover of a group of related entities.

Members of staff:

All employees, workers, office holders and partners should be counted, with each part-time member of staff being counted as one member of staff. The applicable number is the average number working during the financial year.


  • Public authorities do not need to take turnover into account, they should categorise themselves according to staff numbers only.
  • Charities, that are not otherwise exempt, will only pay the Tier 1 fee.
  • Small occupational pension schemes,



No fee is payable if personal data is only being processed for one or more of the following purposes:


  •  Staff administration;
  • Advertising, marketing and public relations;
  • Accounts and records;
  • Not-for-profit purposes;
  • Personal, family or household affairs;
  • Maintaining a public register;
  • Judicial functions;
  • Processing personal information without an automated system such as a computer.

Being exempt from paying a fee does not make the controller exempt from complying with all other data protection obligations.


The maximum penalty for a controller who breaks the law by not paying a fee (or not paying the correct fee) is a fine of £4,350 (150% of the top tier fee).

[1] The Data Protection (Charges and Information) Regulations 2018. Available from:

[2] The data protection fee – A guide for controllers, ICO, 21 February 2018. Available from:

[3] Regulation (EU) 2016/679 of the European Parliament and of the Council of 27 April 2016. Available from: